From 017dc9f6e1f3d42ce32ed0e5ec36ced8c6a099c7 Mon Sep 17 00:00:00 2001 From: Tyler Starr Date: Sun, 21 Jul 2024 12:23:19 -0700 Subject: [PATCH] finish migration from sops to agenix for kestrel --- provision/age-secrets/secrets.nix | 1 + provision/age-secrets/wireguard/kestrel.age | 7 +++ provision/flake.lock | 54 +-------------------- provision/flake.nix | 7 +-- provision/hosts/kestrel/configuration.nix | 2 +- provision/hosts/torus/nextcloud.nix | 9 +++- provision/modules/system/secrets.nix | 27 +++-------- provision/secrets/secrets.yaml | 30 ------------ 8 files changed, 26 insertions(+), 111 deletions(-) create mode 100644 provision/age-secrets/wireguard/kestrel.age delete mode 100644 provision/secrets/secrets.yaml diff --git a/provision/age-secrets/secrets.nix b/provision/age-secrets/secrets.nix index c816a817..89550ea6 100644 --- a/provision/age-secrets/secrets.nix +++ b/provision/age-secrets/secrets.nix @@ -7,4 +7,5 @@ let in { "git/github_personal.age".publicKeys = users ++ systems; + "wireguard/kestrel.age".publicKeys = users ++ systems; } diff --git a/provision/age-secrets/wireguard/kestrel.age b/provision/age-secrets/wireguard/kestrel.age new file mode 100644 index 00000000..b1ca2c4f --- /dev/null +++ b/provision/age-secrets/wireguard/kestrel.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 c/r/0Q KriaXwwwYpEr689PVJe0qCiK1WDblJD/boDwH+uTHCY +gHKQjeASR+ZPAKa7Ph1PplSHBoeyXMI2Ag/hUkFyNvo +-> ssh-ed25519 Fz/sQw dZH3A+0pULWs0Div+YLaQN/wjozElJn5dhotvYV98DQ +XU0mv/c5/jx5h9vQ6D+SuJVX5wasv8OPvhMy4NLHSF8 +--- 8Bz5sfpZmMuEYmUkGmfZ6ZhDRfEBbSrPnWUuVqzLZxU +?I1clC-}n~]mAK1LsMKo;rEhʭ4UUWළwb*. \ No newline at end of file diff --git a/provision/flake.lock b/provision/flake.lock index 62494f70..ad143398 100644 --- a/provision/flake.lock +++ b/provision/flake.lock 
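Review bot: The new `"wireguard/kestrel.age".publicKeys = users ++ systems;` encrypts kestrel's WireGuard private key to every host key in `systems`, so any host in the fleet can decrypt it, not only kestrel. A per-host private key only needs the admin user keys plus the key of the host that uses it, e.g. `"wireguard/kestrel.age".publicKeys = users ++ [ <kestrel host key> ];` (placeholder; the `users` and `systems` lists are defined in the `let` above this hunk and are not visible here). If the recipient list is narrowed, the secret must also be declared only on kestrel rather than in a module shared by all hosts, otherwise activation on the other hosts fails to decrypt it. The enclosing `let … in` starts before the hunk.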
@@ -296,22 +296,6 @@ "type": "github" } }, - "nixpkgs-stable": { - "locked": { - "lastModified": 1719720450, - "narHash": "sha256-57+R2Uj3wPeDeq8p8un19tzFFlgWiXJ8PbzgKtBgBX8=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "78f8641796edff3bfabbf1ef5029deadfe4a21d0", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "release-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs_2": { "locked": { "lastModified": 1719075281, @@ -344,22 +328,6 @@ "type": "github" } }, - "nixpkgs_4": { - "locked": { - "lastModified": 1719468428, - "narHash": "sha256-vN5xJAZ4UGREEglh3lfbbkIj+MPEYMuqewMn4atZFaQ=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "1e3deb3d8a86a870d925760db1a5adecc64d329d", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, "root": { "inputs": { "agenix": "agenix", @@ -367,27 +335,7 @@ "hyprland": "hyprland", "hyprland-contrib": "hyprland-contrib", "jovian-nixos": "jovian-nixos", - "nixpkgs": "nixpkgs_3", - "sops-nix": "sops-nix" - } - }, - "sops-nix": { - "inputs": { - "nixpkgs": "nixpkgs_4", - "nixpkgs-stable": "nixpkgs-stable" - }, - "locked": { - "lastModified": 1720187017, - "narHash": "sha256-Zq+T1Bvd0ShZB9XM+bP0VJK3HjsSVQBLolkaCLBQnfQ=", - "owner": "Mic92", - "repo": "sops-nix", - "rev": "1b11e208cee97c47677439625dc22e5289dcdead", - "type": "github" - }, - "original": { - "owner": "Mic92", - "repo": "sops-nix", - "type": "github" + "nixpkgs": "nixpkgs_3" } }, "systems": { diff --git a/provision/flake.nix b/provision/flake.nix index cfb36b44..cc7c8b50 100644 --- a/provision/flake.nix +++ b/provision/flake.nix @@ -11,7 +11,6 @@ url = "git+https://github.com/Jovian-Experiments/Jovian-NixOS?ref=development"; flake = false; }; - sops-nix.url = "github:Mic92/sops-nix"; agenix.url = "github:ryantm/agenix"; hyprland.url = "github:hyprwm/Hyprland"; hyprland-contrib = { 
@@ -20,7 +19,7 @@ }; }; - outputs = inputs @ { self, nixpkgs, home-manager, jovian-nixos, sops-nix, agenix,hyprland, ... }: + outputs = inputs @ { self, nixpkgs, home-manager, jovian-nixos, agenix, hyprland, ... }: let system = "x86_64-linux"; pkgs = import nixpkgs { @@ -37,7 +36,6 @@ ./modules ./hosts/kestrel/configuration.nix ./hosts/kestrel/hardware.nix - sops-nix.nixosModules.sops agenix.nixosModules.default home-manager.nixosModules.home-manager { home-manager.useGlobalPkgs = true; @@ -60,7 +58,6 @@ ./modules ./hosts/shivan/configuration.nix ./hosts/shivan/hardware.nix - sops-nix.nixosModules.sops agenix.nixosModules.default home-manager.nixosModules.home-manager { home-manager.useGlobalPkgs = true; @@ -83,7 +80,6 @@ ./modules ./hosts/torus/configuration.nix ./hosts/torus/hardware.nix - sops-nix.nixosModules.sops agenix.nixosModules.default home-manager.nixosModules.home-manager { home-manager.useGlobalPkgs = true; @@ -106,7 +102,6 @@ ./modules ./hosts/bulwark/configuration.nix ./hosts/bulwark/hardware.nix - sops-nix.nixosModules.sops agenix.nixosModules.default home-manager.nixosModules.home-manager { home-manager.useGlobalPkgs = true; diff --git a/provision/hosts/kestrel/configuration.nix b/provision/hosts/kestrel/configuration.nix index 8c9690aa..e7ebcdec 100644 --- a/provision/hosts/kestrel/configuration.nix +++ b/provision/hosts/kestrel/configuration.nix @@ -105,7 +105,7 @@ terminal.enable = true; wireguard-client = { enable = true; - privateKeyFile = "/run/secrets/wireguard/kestrel"; + privateKeyFile = "/run/agenix/wireguard/kestrel"; address = [ "192.168.3.3/24" ]; publicKey = "bd7bbZOngl/FTdBlnbIhgCLNf6yx5X8WjiRB7E1NEQQ="; endpoint = "66.218.43.87"; diff --git a/provision/hosts/torus/nextcloud.nix b/provision/hosts/torus/nextcloud.nix index 0894d765..9d7b4a0a 100644 --- a/provision/hosts/torus/nextcloud.nix +++ b/provision/hosts/torus/nextcloud.nix 
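Review bot: `privateKeyFile = "/run/agenix/wireguard/kestrel";` hard-codes the path agenix happens to use instead of taking it from the declaration; `privateKeyFile = config.age.secrets."wireguard/kestrel".path;` keeps the two in sync and makes evaluation fail early if the secret is not declared for this host (this assumes `config` is a module argument here, which the hunk does not show). The same applies to `adminpassFile = "/run/agenix/nextcloud/password";` in the torus nextcloud.nix hunk, where `config.age.secrets."nextcloud/password".path` would do. The enclosing module body starts before the hunk.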
@@ -4,6 +4,13 @@ cron ]; + # nextcloud secrets + age.secrets."nextcloud/password" = { + file = ../../age-secrets/nextcloud/password.age; + owner = "nextcloud"; + group = "nextcloud"; + }; + services = { nginx.virtualHosts = { "cloud.tstarr.us" = { @@ -37,7 +44,7 @@ config = { dbtype = "mysql"; adminuser = "admin"; - adminpassFile = "/run/secrets/nextcloud/password"; + adminpassFile = "/run/agenix/nextcloud/password"; }; }; }; diff --git a/provision/modules/system/secrets.nix b/provision/modules/system/secrets.nix index 73dc0490..53ac28b6 100644 --- a/provision/modules/system/secrets.nix +++ b/provision/modules/system/secrets.nix @@ -8,31 +8,18 @@ in { environment.systemPackages = [ inputs.agenix.packages.x86_64-linux.default ]; - + + # git secrets age.secrets."git/github_personal" = { file = ../../age-secrets/git/github_personal.age; owner = "${user}"; group = "users"; }; - sops = let - ncHost = (if config.networking.hostName == "torus" then "nextcloud" else "${user}"); - in { - defaultSopsFile = ../../secrets/secrets.yaml; - defaultSopsFormat = "yaml"; - age.keyFile = "/home/${user}/.config/sops/age/keys.txt"; - - # Keys - secrets."keys/github_personal" = { owner = "${user}"; }; - - # Nextcloud password - secrets."nextcloud/password" = { owner = "${ncHost}"; }; - - # Wireguard secrets - secrets."wireguard/kestrel" = { owner = "${user}"; }; - secrets."wireguard/bulwark" = { owner = "${user}"; }; - secrets."wireguard/adjudicator" = { owner = "${user}"; }; - secrets."wireguard/torus" = { owner = "${user}"; }; - }; + # wireguard secrets + age.secrets."wireguard/kestrel".file = ../../age-secrets/wireguard/kestrel.age; + #age.secrets."wireguard/bulwark".file = ../../age-secrets/wireguard/bulwark.age; + #age.secrets."wireguard/adjudicator".file = ../../age-secrets/wireguard/adjudicator.age; + #age.secrets."wireguard/torus".file = ../../age-secrets/wireguard/torus.age; }; } 
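Review bot: `file = ../../age-secrets/nextcloud/password.age;` refers to a file this commit does not create (the diffstat adds only wireguard/kestrel.age) and that is not registered in age-secrets/secrets.nix, whose hunk lists only git/github_personal.age and wireguard/kestrel.age. Unless password.age already exists outside this commit, torus will fail to evaluate, and without a secrets.nix entry `agenix -e` has no recipient list for it. Since the sops copy of `nextcloud/password` is deleted in the same commit there is no fallback; add `"nextcloud/password.age".publicKeys = …;` to secrets.nix (admin keys plus torus's host key is enough) and commit the encrypted file. The enclosing attribute set starts before the hunk.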
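Review bot: `age.secrets."wireguard/kestrel".file = …;` lives in a module imported by every host (the flake.nix hunks attach `./modules` to kestrel, shivan, torus and bulwark), so each host decrypts kestrel's WireGuard private key into its own /run/agenix at activation even though only kestrel uses it; moving the declaration next to its consumer in hosts/kestrel/configuration.nix, as the torus nextcloud.nix hunk does for its password, keeps the key on one machine. The three commented-out `#age.secrets."wireguard/…"` lines are dead configuration; if bulwark, adjudicator or torus still read `/run/secrets/wireguard/<host>`, that path no longer exists now that sops is removed, which this hunk cannot show. Note also that the removed sops block set `owner = "${user}"` on the WireGuard keys while the new declaration keeps agenix's default owner, so the key is now readable by root only; that is fine if the WireGuard service runs as root, but worth confirming. The enclosing `let … in {` starts before the hunk.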
diff --git a/provision/secrets/secrets.yaml b/provision/secrets/secrets.yaml
deleted file mode 100644
index 428d4fd7..00000000
--- a/provision/secrets/secrets.yaml
+++ /dev/null
@@ -1,30 +0,0 @@ -gitea-runner1: ENC[AES256_GCM,data:mS41F7iAiITBrlOsrU+r3KCXBek5maoBtrVoTLwc2xGvyyiuyt6lDQ==,iv:YqctzGA3AjCJa9kl6eJ5ILzmfQcSMeNYx1t6UiD3T00=,tag:cyyN3Orsx0qTojOdQdM4Eg==,type:str] -nextcloud: - password: ENC[AES256_GCM,data:qI3PV8ybqKQ=,iv:aXQyTUQ9twlmMx3j01cfk6gy/1fAfUxjYXs5QXPUTjU=,tag:kY+lM1qGm+8OCKgDnXZwSw==,type:str] -keys: - github_personal: ENC[AES256_GCM,data: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,iv:0my7Q3Uog/nu3A3IprXuRAMTYmSv9YV1bo3BSAk2wlk=,tag:u41VgXeMBb2righhXUrPUA==,type:str] -wireguard: - kestrel: ENC[AES256_GCM,data:RLDesKMUtpurv+C2YkxMcbBdiP6cHHUGRCYkgO5Qf6FZLxl4vKRyhTdDzWc=,iv:V/9bpCMTT9YQ8QCNYdpfrhu0lc4Yt5Eu0DJMc0uZkNA=,tag:kFnN7GwT4UKqUyvOdlbXxg==,type:str] - bulwark: ENC[AES256_GCM,data:wMMZ1zJ2nPvkAFA5SgcSyl1z+9blDqf/6pVp8olmGaXJsbWc+/gBtDKzTog=,iv:2lZdsFYZhiTumRmYN/q2606gpyS7lCjf4cgeaCIjoxo=,tag:o81+t3pRwfomEys1veQecA==,type:str] - adjudicator: ENC[AES256_GCM,data:sK2e6miw5UDLV0RQa/pSoI3boKn39/z+jEI0OSGQjhv6PXqIx4HiEtZJptM=,iv:2XjVv5gxL+E0fCzi1/3I1bbxLBOAYzmtu5S4VlZwyxU=,tag:8cahB2CJ4YDN/LSGqWUPnQ==,type:str] - torus: ENC[AES256_GCM,data:BPID5S71fSlwwu5HaYr25n1N7dznKCWx4CZ3VqppsC7Sc5envnGDm2nnqHU=,iv:8sYeuwxd4typ2n5xq0laQEwc1vc3cFbBx9B38q92/Z4=,tag:t7f8z/Jq3/fTNQasOOpgsA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age12g0gtcnhyaghs9vc5528yrstq4spe8p36fflhpwj79yz8jq9qg2s4v6mms - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2RTFNMDd5K3Vza0plMFJr - ZFdpZ2VWV2JEdE1yOUdtS1FLbFp3alpIR25NCkN0dVhYaFZkY1pUQWRhaEY0SjYx - MFlaTjlYWFVLSnY1UmtJcmZobUZUUWcKLS0tIHBJb1lPRkJvcHNiVXhZeStuN2c1 - ajM3YlJYU21PaHRyaGlUNy84RHN2SE0KAvMFdqnfV0TzfNcBdY7OvRLZrBb9uXSI - 3y50yFhYnyXtWKLQFTwjN6S5dLaZgqhaGhEQyNCQxb5RGZJDR6g7Yw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-06-01T06:24:06Z" - mac: 
ENC[AES256_GCM,data:Y1YgnChiZb7168RqY1jP1LTMXanOhBz9LK72/ZbKZTRf50pNIsbOyfsk377sSQ7eemvROT3gTeFtWaLlgtY2bujegPiMiHDoDoVwJGzw4uBynr6/YSjOsO1TBLcTraJUfUBebF++5DsEcOD1jql1EHZ5hL+hwaAZYo5IXuLjlw0=,iv:WHep872Z0lQTZ2gx2fz6zHWpVCniDmJ9yueUDi9I0AQ=,tag:FuSSpg0EUylWhNR7sMjwVg==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.8.1